From c5e90053253e4789d5fb78e2b0b63b8016122660 Mon Sep 17 00:00:00 2001
From: Bruce Bolt
Date: Tue, 8 Oct 2024 10:47:41 +0100
Subject: [PATCH 1/2] Configure hosts for application

Note: the healthcheck endpoints are requested by IP, not domain, so we need to specifically exclude them from the protection.
---
 config/environments/production.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index 009d5e9fa..d610198df 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -101,4 +101,12 @@
     logger.formatter = config.log_formatter
     config.logger = ActiveSupport::TaggedLogging.new(logger)
   end
+
+  # Enable DNS rebinding protection and other `Host` header attacks.
+  config.hosts = [
+    /publisher\..*gov.uk?/,
+  ]
+
+  # Skip DNS rebinding protection for the default health check endpoint.
+  config.host_authorization = { exclude: ->(request) { request.path.match?("^\/healthcheck") } }
 end

From af33f04024901d28dc4e44d6754d8399aa90ebd6 Mon Sep 17 00:00:00 2001
From: Mark Taylor <138604938+mtaylorgds@users.noreply.github.com>
Date: Fri, 11 Oct 2024 10:24:54 +0100
Subject: [PATCH 2/2] Update host matching

---
 config/environments/production.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index d610198df..76a35f7cf 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -104,7 +104,7 @@
   # Enable DNS rebinding protection and other `Host` header attacks.
   config.hosts = [
-    /publisher\..*gov.uk?/,
+    /publisher\..*\.gov.uk/,
   ]
 
   # Skip DNS rebinding protection for the default health check endpoint.
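Review bot: The allowed-host pattern `/publisher\..*gov.uk?/` in the first hunk leaves the dot in `gov.uk` unescaped and the `.*` unconstrained, so a host only needs to end in `gov`, any single character, then `u` with an optional `k` to pass; as far as I recall Rails' HostAuthorization wraps Regexp entries in `\A…\z` with an optional port itself, so anchoring is covered but the character classes are not. The second patch's hunk (`+    /publisher\..*\.gov.uk/,`) drops the stray `?` and requires a label boundary before `gov`, yet the dot before `uk` is still a wildcard, so a host such as `publisher.<label>.gov-uk` would also be accepted; escaping it, `/publisher\..*\.gov\.uk/`, is the minimum, and replacing `.*` with the specific environment labels this app is served under would be tighter. The healthcheck exclusion passes a String that `match?` converts to a Regexp anchored with `^`, which matches at a line start rather than the string start; `request.path.match?(%r{\A/healthcheck})` is the precise form and avoids the escaped slash. The second patch's hunk is cut off at the end of this chunk, so its final context line (the `config.host_authorization` assignment) is not visible here.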